Web lists-archives.com

Re: SSL not required for setup.exe download




On 2019-03-11 07:43, Archie Cobbs wrote:
> On Sun, Mar 10, 2019 at 10:51 PM Brian Inglis wrote:
>>>>> Is there any reason not to force this redirect and close this security hole?
>> There are apparently reasons not to force this redirect as it can also cause a
>> security hole.
> That's really interesting. Can you provide more detail?

Search for HTTP HTTPS redirection SSL stripping MitM attack

>>>> The whole sourceware.org site include cygwin.com uses HSTS which compliant
>>>> supporting clients can use to switch to communicating over HTTPS.
>>>> Clients which are not compliant or don't support HTTPS may still download the
>>>> programs and files.
>>> I don't see how HSTS solves the particular issue that I'm referring to.
>> HSTS redirects requests from port 80 to 443 (HTTPS).
> Not for me. Well, actually I'm getting inconsistent results...
> On Mac OS X, neither Firefox, Chrome nor Safari will redirect to SSL.
> On an old Windows 7 system, neither IE 8 (no surprise there) or Chrome
> redirects.
> However, with Chrome, it does not redirect at first, but once I've
> manually entered https://www.cygwin.com it seems to "realize" that a
> secure site exists, and after that it starts redirecting to SSL.
> I can revert that behavior by clearing the cache.
> So it seems in the case of Chrome, it has to be "taught" about the
> existence of the secure site... which of course takes us right back to
> the original problem.

Some sites, proxies, and CDNs respond with

	HTTP/1.0 302 Found

and redirects to HTTPS:443 followed by the HTTP header.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple